diff --git a/api/v1/models/daemon_configuration_status.go b/api/v1/models/daemon_configuration_status.go
index f55612181d..3aad3ee0ea 100644
--- a/api/v1/models/daemon_configuration_status.go
+++ b/api/v1/models/daemon_configuration_status.go
@@ -50,6 +50,12 @@ type DaemonConfigurationStatus struct {
 	// Configured compatibility mode for --egress-multi-home-ip-rule-compat
 	EgressMultiHomeIPRuleCompat bool `json:"egress-multi-home-ip-rule-compat,omitempty"`
 
+	// MAC address for host side veth interface
+	EndpointInterfaceHostMAC string `json:"endpointInterfaceHostMAC,omitempty"`
+
+	// MAC address for container side veth interface
+	EndpointInterfaceMAC string `json:"endpointInterfaceMAC,omitempty"`
+
 	// Immutable configuration (read-only)
 	Immutable ConfigurationMap `json:"immutable,omitempty"`
 
diff --git a/api/v1/openapi.yaml b/api/v1/openapi.yaml
index a93f7d34fa..04b88002b9 100644
--- a/api/v1/openapi.yaml
+++ b/api/v1/openapi.yaml
@@ -2496,6 +2496,12 @@ definitions:
       routeMTU:
         description: MTU for network facing routes
         type: integer
+      endpointInterfaceHostMAC:
+        description: MAC address for host side veth interface
+        type: string
+      endpointInterfaceMAC:
+        description: MAC address for container side veth interface
+        type: string
       datapathMode:
         "$ref": "#/definitions/DatapathMode"
       ipam-mode:
diff --git a/api/v1/server/embedded_spec.go b/api/v1/server/embedded_spec.go
index 927cea0090..32ec28791c 100644
--- a/api/v1/server/embedded_spec.go
+++ b/api/v1/server/embedded_spec.go
@@ -2310,6 +2310,14 @@ func init() {
           "description": "Configured compatibility mode for --egress-multi-home-ip-rule-compat",
           "type": "boolean"
         },
+        "endpointInterfaceHostMAC": {
+          "description": "MAC address for host side veth interface",
+          "type": "string"
+        },
+        "endpointInterfaceMAC": {
+          "description": "MAC address for container side veth interface",
+          "type": "string"
+        },
         "immutable": {
           "description": "Immutable configuration (read-only)",
           "$ref": "#/definitions/ConfigurationMap"
@@ -7435,6 +7443,14 @@ func init() {
           "description": "Configured compatibility mode for --egress-multi-home-ip-rule-compat",
           "type": "boolean"
         },
+        "endpointInterfaceHostMAC": {
+          "description": "MAC address for host side veth interface",
+          "type": "string"
+        },
+        "endpointInterfaceMAC": {
+          "description": "MAC address for container side veth interface",
+          "type": "string"
+        },
         "immutable": {
           "description": "Immutable configuration (read-only)",
           "$ref": "#/definitions/ConfigurationMap"
diff --git a/daemon/cmd/config.go b/daemon/cmd/config.go
index f7ef6cd257..d171474074 100644
--- a/daemon/cmd/config.go
+++ b/daemon/cmd/config.go
@@ -199,6 +199,8 @@ func (h *getConfig) Handle(params GetConfigParams) middleware.Responder {
 			IPV6: option.Config.EnableIPv6Masquerade,
 		},
 		EgressMultiHomeIPRuleCompat: option.Config.EgressMultiHomeIPRuleCompat,
+		EndpointInterfaceHostMAC:    option.Config.EndpointInterfaceHostMAC,
+		EndpointInterfaceMAC:        option.Config.EndpointInterfaceMAC,
 		GROMaxSize:                  int64(d.bigTCPConfig.GetGROIPv6MaxSize()),
 		GSOMaxSize:                  int64(d.bigTCPConfig.GetGSOIPv6MaxSize()),
 		GROIPV4MaxSize:              int64(d.bigTCPConfig.GetGROIPv4MaxSize()),
diff --git a/pkg/datapath/connector/veth.go b/pkg/datapath/connector/veth.go
index 7edac7e95b..94a57d21b5 100644
--- a/pkg/datapath/connector/veth.go
+++ b/pkg/datapath/connector/veth.go
@@ -62,11 +62,19 @@ func SetupVethWithNames(lxcIfName, tmpIfName string, mtu, groIPv6MaxSize, gsoIPv
 	// explicitly setting MAC addrs for both veth ends. This sets
 	// addr_assign_type for NET_ADDR_SET which prevents systemd from changing
 	// the addrs.
-	epHostMAC, err = mac.GenerateRandMAC()
+	if ep.HostMac != "" {
+		epHostMAC, err = mac.ParseMAC(ep.HostMac)
+	} else {
+		epHostMAC, err = mac.GenerateRandMAC()
+	}
 	if err != nil {
 		return nil, nil, fmt.Errorf("unable to generate rnd mac addr: %s", err)
 	}
-	epLXCMAC, err = mac.GenerateRandMAC()
+	if ep.Mac != "" {
+		epLXCMAC, _ = mac.ParseMAC(ep.Mac)
+	} else {
+		epLXCMAC, err = mac.GenerateRandMAC()
+	}
 	if err != nil {
 		return nil, nil, fmt.Errorf("unable to generate rnd mac addr: %s", err)
 	}
diff --git a/pkg/defaults/defaults.go b/pkg/defaults/defaults.go
index 1258c1af89..400058a1b1 100644
--- a/pkg/defaults/defaults.go
+++ b/pkg/defaults/defaults.go
@@ -330,6 +330,12 @@ const (
 	// LoopbackIPv4 is the default address for service loopback
 	LoopbackIPv4 = "169.254.42.1"
 
+	// EndpointInterfaceHostMAC is set to empty to enable auto generation (default mode)
+	EndpointInterfaceHostMAC = ""
+
+	// EndpointInterfaceMAC is set to empty to enable auto generation (default mode)
+	EndpointInterfaceMAC = ""
+
 	// EnableEndpointRoutes is the value for option.EnableEndpointRoutes.
 	// It is disabled by default for backwards compatibility.
 	EnableEndpointRoutes = false
diff --git a/pkg/option/config.go b/pkg/option/config.go
index b3ffe32d05..0f4c854a2e 100644
--- a/pkg/option/config.go
+++ b/pkg/option/config.go
@@ -1039,6 +1039,12 @@ const (
 	// EndpointStatusState enables CiliumEndpoint.Status.State
 	EndpointStatusState = "state"
 
+	// EndpointInterfaceHostMAC defines MAC address for host side veth interface
+	EndpointInterfaceHostMAC = "endpoint-interface-host-mac"
+
+	// EndpointInterfaceMAC defines MAC address for container side veth interface
+	EndpointInterfaceMAC = "endpoint-interface-mac"
+
 	// EnableIPv4FragmentsTrackingName is the name of the option to enable
 	// IPv4 fragments tracking for L4-based lookups. Needs LRU map support.
 	EnableIPv4FragmentsTrackingName = "enable-ipv4-fragment-tracking"
@@ -1954,6 +1960,12 @@ type DaemonConfig struct {
 	// LocalRouterIPv6 is the link-local IPv6 address used for Cilium's router device
 	LocalRouterIPv6 string
 
+	// EndpointInterfaceHostMAC defines MAC address for host side veth interface
+	EndpointInterfaceHostMAC string
+
+	// EndpointInterfaceMAC defines MAC address for container side veth interface
+	EndpointInterfaceMAC string
+
 	// EnableEndpointRoutes enables use of per endpoint routes
 	EnableEndpointRoutes bool
 
@@ -2434,6 +2446,8 @@ var (
 		KVStoreOpt:                   make(map[string]string),
 		LogOpt:                       make(map[string]string),
 		LoopbackIPv4:                 defaults.LoopbackIPv4,
+		EndpointInterfaceHostMAC:     defaults.EndpointInterfaceHostMAC,
+		EndpointInterfaceMAC:         defaults.EndpointInterfaceMAC,
 		EnableEndpointRoutes:         defaults.EnableEndpointRoutes,
 		AnnotateK8sNode:              defaults.AnnotateK8sNode,
 		K8sServiceCacheSize:          defaults.K8sServiceCacheSize,
@@ -2999,6 +3013,8 @@ func (c *DaemonConfig) Populate(vp *viper.Viper) {
 	c.L2AnnouncerRetryPeriod = vp.GetDuration(L2AnnouncerRetryPeriod)
 	c.EnableWireguardUserspaceFallback = vp.GetBool(EnableWireguardUserspaceFallback)
 	c.EnableWellKnownIdentities = vp.GetBool(EnableWellKnownIdentities)
+	c.EndpointInterfaceHostMAC = vp.GetString(EndpointInterfaceHostMAC)
+	c.EndpointInterfaceMAC = vp.GetString(EndpointInterfaceMAC)
 	c.EnableXDPPrefilter = vp.GetBool(EnableXDPPrefilter)
 	c.DisableCiliumEndpointCRD = vp.GetBool(DisableCiliumEndpointCRDName)
 	c.EgressMasqueradeInterfaces = vp.GetString(EgressMasqueradeInterfaces)
diff --git a/plugins/cilium-cni/main.go b/plugins/cilium-cni/main.go
index 217981d3a1..c6e227d1c9 100644
--- a/plugins/cilium-cni/main.go
+++ b/plugins/cilium-cni/main.go
@@ -476,6 +476,8 @@ func cmdAdd(args *skel.CmdArgs) (err error) {
 		K8sPodName:            string(cniArgs.K8S_POD_NAME),
 		K8sNamespace:          string(cniArgs.K8S_POD_NAMESPACE),
 		DatapathConfiguration: &models.EndpointDatapathConfiguration{},
+		Mac:                   conf.EndpointInterfaceMAC,
+		HostMac:               conf.EndpointInterfaceHostMAC,
 	}
 
 	if conf.IpamMode == ipamOption.IPAMDelegatedPlugin {
